Information

AdvisoryXSA-201
Public release 2016-11-29 14:48
Updated 2023-12-15 15:35
Version 3
CVE(s) CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
Title ARM guests may induce host asynchronous abort

Files

advisory-201.txt (signed advisory file)
xsa201-1.patch
xsa201-2.patch
xsa201-3.patch
xsa201-3-4.7.patch
xsa201-4.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2016-9815,CVE-2016-9816,CVE-2016-9817,CVE-2016-9818 / XSA-201
                                        version 3

             ARM guests may induce host asynchronous abort

UPDATES IN VERSION 3
====================

Normalize version tags.

ISSUE DESCRIPTION
=================

Depending on how the hardware and firmware have been integrated,
guest-triggered asynchronous aborts (SError on ARMv8) may be received
by the hypervisor.  The current action is to crash the host.

A guest might trigger an asynchronous abort when accessing memory
mapped hardware in a non-conventional way.  Even if device
pass-through has not been configured, the hypervisor may give the
guest access to memory mapped hardware in order to take advantage of
hardware virtualization.

The CVEs are as follows:
 xsa201-1.patch     CVE-2016-9815
 xsa201-2.patch     CVE-2016-9816
 xsa201-3-*.patch   CVE-2016-9817
 xsa201-4.patch     CVE-2016-9818

IMPACT
======

A malicious guest may be able to crash the host.

VULNERABLE SYSTEMS
==================

All Xen versions which support ARM are potentially affected.

Whether a particular ARM systems is affected depends on technical
details of the hardware and/or firmware.

x86 systems are not affected.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
guest administrator, running only kernels which do not expose MMIO to
userspace will prevent untrusted guest users from exploiting this issue.
However untrusted guest administrators can still trigger it unless
further steps are taken to prevent them from loading code into the
kernel (e.g by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The issue was discussed publicly (and has been fixed already in KVM in
public trees).

CREDITS
=======

This issue was discovered by ARM engineering personnel.

RESOLUTION
==========

Applying the appropriate set of attached patched resolves this issue.

xsa201-[1234].patch                                    xen-unstable
xsa201-[12].patch, xsa201-3-4.7.patch, xsa201-4.patch  Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa201*
163aeb9ae3ffce28e0bc95bdfff490d2df6f6f0b85ac1d4f447bea921f0a0dda  xsa201-1.patch
0ba570ed7df172475bc745e02b89670608251634895e5279edcf534619d6d81b  xsa201-2.patch
4045e046473f069c51e5fd579f63563862aa497d945b183c768481ef11885744  xsa201-3.patch
a9cf56564d020675c0f2f1ea15009a712f172be3d53ea8ddf2f48adaac392e76  xsa201-3-4.7.patch
388d548cd4e30883ae100863d33e792869e7dbd86054299a91b64db6d6599919  xsa201-4.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/UMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ1ssIAMiGSDkQVOSFkY6ru8yrTvxD0OwispGpkmU4exzk
fD2vzZ4pvhFlIffOA/D7uLlQ6StS7IwCBXdCrT3t3Ivqxksl/0f5cTESAkrx9zMK
X7RHYYwFl5P0gIvnCfhi194UNSRlJZKzxkNej6/3tXfFpdnhDdO8MFTFpR9l2A0O
fhbzNBjVjZEQFsvNGXyy1sQql3S85wJaTObJqDAnOm/wg2uvllYKIEEzXSszMTvc
B7Qnnrjp30ewBf++42VhAB70j0GN8G0WD1X2hoEjCd+fyvsefjH6SMmyz/pW8VTG
fOfJRbdJhitvDltxA40n3ZXAskWGXdcrv8hFpKJ7g0EshpY=
=JhUi
-----END PGP SIGNATURE-----


Xenproject.org Security Team